Your message dated Wed, 21 Jun 2023 19:51:05 +0000
with message-id <e1qc3r7-00ae9n...@fasolo.debian.org>
and subject line Bug#1037052: fixed in minidlna 1.3.2+dfsg-1.1
has caused the Debian Bug report #1037052,
regarding minidlna: CVE-2023-33476
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1037052: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037052
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: minidlna
Version: 1.3.2+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for minidlna.

CVE-2023-33476[0]:
| ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 are vulnerable
| to Buffer Overflow. The vulnerability is caused by incorrect
| validation logic when handling HTTP requests using chunked transport
| encoding. This results in other code later using attacker-controlled
| chunk values that exceed the length of the allocated buffer, resulting
| in out-of-bounds read/write.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-33476
    https://www.cve.org/CVERecord?id=CVE-2023-33476
[1] https://blog.coffinsec.com/0day/2023/05/31/minidlna-heap-overflow-rca.html
[2] https://sourceforge.net/p/minidlna/git/ci/9bd58553fae5aef3e6dd22f51642d2c851225aec/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
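The chunk-length check described in the CVE text above, as an added illustration that is not minidlna's code or the Debian patch: a hypothetical chunked-body decoder that validates each parsed chunk length against the bytes actually held in the input buffer and the space left in the output buffer before using it as a copy length.

```c
/* Added example, not code from minidlna or the Debian package.
 * Hypothetical bounds-checked decoder for an HTTP chunked body: a parsed
 * chunk length is used as a copy length only after being checked against
 * the input actually received and the output capacity. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode the chunked body in[0..in_len) into out[0..out_cap).
 * Returns the number of decoded bytes, or -1 if a chunk-size line is
 * malformed, or a chunk length exceeds what remains in the input buffer
 * or the space left in out. Trailers after the final 0 chunk are ignored. */
long dechunk(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t i = 0, written = 0;
    for (;;) {
        uint64_t chunk = 0;
        int digits = 0, d = 0;
        while (i < in_len && (d = hexval((unsigned char)in[i])) >= 0) {
            if (++digits > 8) return -1;          /* refuse absurd sizes early */
            chunk = (chunk << 4) | (uint64_t)d;
            i++;
        }
        if (digits == 0) return -1;
        while (i < in_len && in[i] != '\r') i++;  /* skip any chunk extension */
        if (i + 2 > in_len || in[i] != '\r' || in[i + 1] != '\n') return -1;
        i += 2;
        if (chunk == 0) return (long)written;     /* last chunk */
        /* the validation the CVE text says was missing: length vs. what we hold */
        if (chunk + 2 > in_len - i) return -1;    /* data + CRLF must be present */
        if (chunk > out_cap - written) return -1; /* must fit the output buffer */
        memcpy(out + written, in + i, (size_t)chunk);
        written += (size_t)chunk;
        i += (size_t)chunk;
        if (i + 2 > in_len || in[i] != '\r' || in[i + 1] != '\n') return -1;
        i += 2;
    }
}
```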
--- Begin Message ---
Source: minidlna
Source-Version: 1.3.2+dfsg-1.1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
minidlna, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1037...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated minidlna package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 19 Jun 2023 21:14:33 +0200
Source: minidlna
Architecture: source
Version: 1.3.2+dfsg-1.1
Distribution: unstable
Urgency: medium
Maintainer: Alexander GQ Gerasiov <g...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1037052
Changes:
 minidlna (1.3.2+dfsg-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * upnphttp: Fix chunk length parsing (CVE-2023-33476) (Closes: #1037052)


--- End Message ---
